Distributed Denial of Service (DDOS) Attacks: How They Work
When a malicious user wants to disrupt web services, they often use a distributed denial of service (DDoS) attack. You’ve probably heard the phrase countless times in the media.
The basic idea is always the same: send so much junk to a server that legitimate traffic cannot get through.
DDoS has even been aimed at the DNS root name servers in a bid to knock the entire world wide web offline. Despite being as old as the internet itself, DDOS remains one of the most effective tools malicious users have at their disposal.
But what does a DDoS attack actually involve?
We first have to understand both denial of service and distributed denial of service.
What is a DDoS Attack?
The difference between DOS and DDOS is in the origin of the attack.
- A denial of service (DOS) attack comes from a single person or network.
- A distributed denial of service attack (DDOS) will involve computers from networks all over the world. (Distributing the attack amplifies it, and it also makes it more difficult for the affected party to protect itself.)
Most DOS attacks you’ll hear about today are really DDOS attacks. They utilise botnets – many computers all acting under the control of a malicious individual or group. Botnets are usually built by installing malware on machines without their owners’ permission or knowledge.
In this article, we’ll use the terms DOS and DDOS interchangeably, since it would be rare for an attack not to be distributed.
How a Denial of Service Attack Works
The simple approach to DOS is to flood a server with a large volume of pointless traffic, giving it far more than it can handle. Bandwidth is saturated, memory is exhausted and ordinary users can’t get a connection to the server.
But actually maxing out a server can be quite difficult, even with a large number of computers opening as many connections as they can. So attackers have found a way to magnify the effect by using spoofed (fake) source IP addresses.
Using fake IPs, the same process can be carried out by one computer, a botnet controlled by one master or, as with Operation Payback, a group of people working together.
Here’s what happens.
- The attacking machine sends a SYN packet to the server, but forges the source address so the packet appears to come from somewhere else.
- The server responds with a SYN/ACK packet to that address, but no reply ever comes back – the sender address was fake.
- The server keeps the half-open connection in memory, waiting for the final ACK, until it times out.
The server is left holding a growing backlog of useless half-open connections, losing more and more memory to the attack and eventually becoming crippled.
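The three steps above, modelled from the server's side as an added example (this is illustrative code written for this article, not anything from a real TCP stack): a fixed-size table of half-open connections fills with spoofed SYNs that never complete, a legitimate client is refused while it is full, and service returns once the entries time out. The capacity, timeout and addresses are constructed values; the half-open ratio is the kind of metric an edge filter would watch.

```python
from dataclasses import dataclass, field

@dataclass
class SynBacklog:
    """Server-side table of half-open connections (SYN seen, final ACK not yet received)."""
    capacity: int            # constructed: how many half-open entries the server will hold
    timeout: float           # constructed: seconds a half-open entry lingers before being dropped
    pending: dict = field(default_factory=dict)   # (src_ip, src_port) -> time the SYN arrived
    established: int = 0
    dropped_syns: int = 0    # SYNs refused because the table was full (legitimate or not)

    def expire(self, now):
        # Step 3: entries whose timeout has elapsed are finally released.
        for key in [k for k, t in self.pending.items() if now - t >= self.timeout]:
            del self.pending[key]

    def on_syn(self, src, now):
        self.expire(now)
        if len(self.pending) >= self.capacity:
            self.dropped_syns += 1
            return False      # table full: the server cannot even answer with SYN/ACK
        self.pending[src] = now   # step 2: SYN/ACK sent, server now waits for the ACK
        return True

    def on_ack(self, src, now):
        # Only a host that actually received the SYN/ACK can send this; a spoofed source never does.
        if src in self.pending:
            del self.pending[src]
            self.established += 1
            return True
        return False

def half_open_ratio(backlog):
    """Share of the table held by half-open entries; a filter would alert above a threshold."""
    return len(backlog.pending) / backlog.capacity

def simulate(capacity=128, timeout=60.0, spoofed_syns=200):
    b = SynBacklog(capacity, timeout)
    # A legitimate client (documentation address, constructed) completes the handshake.
    b.on_syn(("198.51.100.7", 40001), 0.0)
    b.on_ack(("198.51.100.7", 40001), 0.1)
    # Step 1, repeated: each spoofed SYN claims a different forged source, so no ACK follows.
    for i in range(spoofed_syns):
        b.on_syn((f"203.0.113.{i % 256}", 1024 + i), 1.0 + i * 0.01)
    peak_ratio = half_open_ratio(b)                      # 1.0: every slot is a dead half-open entry
    second_ok = b.on_syn(("198.51.100.8", 40002), 5.0)    # legitimate client refused while full
    recovered_ok = b.on_syn(("198.51.100.9", 40003), 70.0)  # after the timeout, service recovers
    return b, peak_ratio, second_ok, recovered_ok
```

Shortening the timeout or enlarging the table only moves the point at which the flood wins; the model shows why the spoofed source, not the volume alone, is what makes the attack cheap.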
The strategy is actually fairly successful. It has slowed or crashed some prominent sites.
However, companies have become wise to DDOS attacks and have begun to take some precautions.
Defending Against a DDOS Attack
There are several ways to defend against a DDOS attack. None can guarantee prevention, but the website owner does have options:
- Filtering: Routers at the edge of the network can be configured to spot and drop DDOS traffic before it reaches and slows the network or the server.
- Blackholing: A host may simply “blackhole” a site that is being DDOSed, routing all traffic for it to an address that doesn’t exist, so the site goes dark along with the attack. This is normally a last resort.
In addition, many companies sell anti-DDOS applications that detect and block attacks.
The only sure-fire way to end a DDOS attack is to wait it out. Most attacks don’t last very long because those running botnets don’t wish to expose their network for too long, and group attacks can’t hold their cohesion forever. Though it may take a few days, the attack will cease of its own accord.
Points to Remember About DDOS Attacks
DDOS attacks are not hacks; the system is not compromised, and data is not exposed. They merely prevent the server from being able to receive legitimate requests for data. Most website owners and hosts will deal with a DDOS problem at some point, but they’re rarely a permanent issue.